Security Features In Android

Security is one of the most common concerns for any Android application developer. Android has various security features built into the operating system that take care of security issues; however, it is still important for developers to be familiar with Android security best practices.

This article covers some general coding practices that can reduce the chance of a security breach and other problems.

1). Storing Data

An important security concern is whether the data saved by the application is protected from possible leaks and third-party access.

There are different ways of saving data on the device:

Using internal storage

Using external storage

Using content providers

1.1). Using Internal Storage

Files kept in internal storage receive Android's built-in security protection. This is because, by default, all files that an app creates and stores in internal storage are accessible to that app only.

It is better to avoid the MODE_WORLD_WRITEABLE and MODE_WORLD_READABLE modes, for the following reasons:

They don't provide the ability to limit data access to particular applications.

They don't provide any control over the data format.

1.2). Using External Storage

SD cards are an example of external storage. Files created on external storage are globally readable and writable, and users can modify their content with ease.

The security tip here is to perform input validation when handling data from external storage.

1.3). Using Content Providers

Content providers offer a structured storage mechanism. A provider can be limited to your own application or exported to allow access by other applications.

If you set android:exported="false" on the provider in the application manifest, other applications cannot access your content provider.

2). Using Permissions

Permissions are very important when working with content providers. For example, if we want to create a ContentProvider that will be exported and used by other applications, we can either specify a single permission for reading and writing, or create distinct permissions for reading and writing within the manifest.

If we are using a content provider for sharing data within our own apps, it is advisable to use the android:protectionLevel attribute set to “signature” protection. This is because signature permissions do not require user confirmation.
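The manifest below is an added example, not taken from a real project, showing the provider settings from sections 1.3 and 2 side by side: an exported provider with no permission, the same provider guarded by distinct read and write signature permissions, and a non-exported provider. The package, provider, authority and permission names are hypothetical.

```xml
<!-- Added example. Package, provider, authority and permission names are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">

    <!-- Distinct read and write permissions. With protectionLevel="signature"
         the system grants them only to apps signed with the same certificate
         as this app, without asking the user. -->
    <permission
        android:name="com.example.notes.permission.READ_NOTES"
        android:protectionLevel="signature" />
    <permission
        android:name="com.example.notes.permission.WRITE_NOTES"
        android:protectionLevel="signature" />

    <application>

        <!-- Weak: exported with no permission, so any installed app can
             query, insert, update or delete through this provider. -->
        <provider
            android:name=".OpenNotesProvider"
            android:authorities="com.example.notes.open"
            android:exported="true" />

        <!-- Corrected: still exported, but a caller must hold READ_NOTES to
             query and WRITE_NOTES to insert, update or delete. -->
        <provider
            android:name=".SharedNotesProvider"
            android:authorities="com.example.notes.shared"
            android:exported="true"
            android:readPermission="com.example.notes.permission.READ_NOTES"
            android:writePermission="com.example.notes.permission.WRITE_NOTES" />

        <!-- Private: used only inside this app. Set the attribute explicitly
             rather than relying on the platform default. -->
        <provider
            android:name=".PrivateNotesProvider"
            android:authorities="com.example.notes.private"
            android:exported="false" />

    </application>
</manifest>
```

A companion app signed with the same certificate requests access by declaring a uses-permission element for READ_NOTES or WRITE_NOTES in its own manifest.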

It is better to minimize the number of permissions that the app requests. This reduces the risk of any misuse of those permissions. In short, if a permission is not required for the app to function properly, do not request it.